From nmap, there are lots of ports opened.

Local Picture

It is the web page on port 80, and it runs Elastix.

Local Picture

I tried to use one of the exploit in searchsploit. It is a LFI for Elastix 2.2.0.

Local Picture

It actually works, and I got the credential.

Local Picture

I successfully login to Elastix with the credential.

Local Picture

And I found that I can also access ssh as root with the credential.

Local Picture